I'm trying to create a PHP web interface for a staging->production publishing script. The web interface is secure (intranet,passworded etc) so I am happy to for apache act as the root user to perform the rsync. There is no password for the root user, a keyfile is used for SSH access.
I have tried sudo-ing the rysnc command in the shell script...
sudo rsync --verbose --recursive --times --perms --links --delete /tmp/dir1/* /tmp/dir2/
And allowing apache to run rsync by adding the following to the sudoers file...
apache ALL=(ALL) NOPASSWD:/usr/bin/rsync
I am using PHP shell_exec to invoke the script...
$result = shell_exec('bash /tmp/syncscript.sh 2>&1');
I get the following error...
sorry, you must have a tty to run sudo
How can I setup so I can run the rsync command as though I were the root user?
Thanks!
You might want to try what i wrote in this post if you want to use SUDO from PHP. It solved all my problems and i have a similar setup to yours, i have a DEV server internally but i want it to do things that only root can...
How to use exec() in php in combination with ssh 'hostname' command?
Good luck
In the end went for a non-sudo approach to this problem. Used phpseclib to get a connection to the box as a user that could do what I needed (not apache). And then made sure that the dirs/files that were being targetted in the rsync operation were accessible to this user.
Seems simple now I look back on it.
Related
I have set up a github webhook to talk to my webserver api (server is apache2). I securely check for the github secret using the encryption of the payload, as specified on their help page.
When a push to master is done on the repo of the web application, a script (deploy.sh) is triggered via <?php exec. If I trigger this script manually, as root, everything is perfect. But of course, the user that triggers the script on normal circumstances is www-data.
My question is what is the best practice for www-data to do a git pull of the new repo? I have mostly discarded doing exec sudo, but maybe that is the way. One problem of the many that i'm facing with making www-data trigger a git pull is that the ~/.ssh/id_rsa file is only set up for root (when building the server image on docker). Its a read-only ssh-key.
This is a legacy application so what really worries me is that through some php exploit someone could do the exec without being github. And from there escalate to get read access to the repo or something worse.
The question is really, what is the best practice to update a web application using a webhook
Solution was allowing www-data to sudo only the deploy command:
echo 'www-data ALL=(ALL) NOPASSWD: /var/my-cool-scripts/deploy.sh' | sudo EDITOR='tee -a' visudo
on php:
exec('sudo -n /var/my-cool-scripts/deploy.sh')
PS: actually used this neat trick to know the execution was okay
$did_the_script_run_okay = exec('sudo -n /var/my-cool-scripts/deploy.sh') == "okay" || false;
last line of deploy.sh:
echo "okay"
the exec command returns the last line echoed by the command, so i check that to ensure complete execution
What should I do to securely run some CordovaCLI commands such as: cordova prepare, cordova clean, cordova platform add android with Apache Cordova 5+ in Linux Ubuntu web server by running a bash script, or even better from within a php script?
I solved this (not sure if this is securest way though).
I added
NOPASSWD:path/to/bash/script
directive to my www-data section on /etc/sudoers file
Then I set the owner of bash-script.sh to www-data
Finally I executed a shell within php using
sudo -u www-data /path/to/bash/script/bash-script.bash
And, so far, it is working, although I am not sure this is a secure method to consider it the definitive solution.
Here is a project that gives you a real Bash Shell: https://github.com/merlinthemagic/MTS
Once installed you get a shell the following way:
$shellObj = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', false);
The $shellObj now contains a shell object logged in as the same use that executes php.
Now you can execute commands against that shell the following way:
$returnData1 = $shellObj->exeCmd("cordova clean");
//or
$returnData2 = $shellObj->exeCmd("cordova platform add android");
Your question centers on security and the shell is logged in as the same user that runs php, so no elevation is performed. However if you require elevated access to execute the cordova binary then allow your web-server user sudo access to the binary.
I am trying to rsync file from local to remote server.
When i do this on console it works:
rsync -avzhe ssh /var/www/folder1/file5
root#192.168.56.74:/var/www/folder2
but when i do this on my php and run the php script, it doesn't work:
$rysncCommand = "rsync -avzhe ssh /var/www/folder1/file5 root#192.168.56.74:/var/www/folder2";
shell_exec($rysncCommand);
There is no error shown, so i can't really tell what is the error. Is there something wrong with my php script?
First, you need to check if you need to be a root or (sudo user) for running rsync.
If yes then exec() command will only work if it is run by same user on php-cli (not on browser by Apache user). i.e. Which user you are loggined into shell for run rsync.
If it is root or any elavated permission user with sudo permission then, This rsync command may not be available to apache/www-data user which is working when php script run from browser.
So You try to make a normal user and login through it, Then try rsync if you are successful then it may be interesting to see what are other problems can be, But if you getting access/permission denied then obviously you can not run this script at-least on browser.
Besides this One more thing permission may not be directly related to rsync command itself but with folder /etc/test/ which is owned by root user in normal scenario.
For more details you can check this Stack Overflow Link .
i am using arch linux. i want to execute the php file which changes the ip of the system. i did
ifconfig eth0 192.168.163.137
in the terminal and it works fine. the same i tried doing with
shell_exec('ifconfig eth0 192.168.163.137');
in a php file and tried opening the page from a remotely located web browser from another pc connected via router. teh page displays nothing and the code also doesnt execute. i guess its the problem with the user executing it.apache is executing it. so i want it to be run by the root.can anyone please guide me to the execution of my code. i even installed sudo and just put
shell_exec('sudo ifconfig......');
it too doesnt execute...please help...thanku..:)
Sudo normally requires an interactive shell to enter your password. That's obviously not going to happen in a PHP script. If you're sure you know what you're doing and you've got your security issues covered, try allowing the Apache user to run sudo without a password, but only for certain commands.
For example, adding the following line in your sudoers file will allow Apache to run sudo without a password, only for the ifconfig command.
apache ALL=NOPASSWD: /sbin/ifconfig
Adjust the path and add any arguments to suit your needs.
Caution:
There might still be complications due to the way PHP calls shell commands.
Remember that it's very risky to allow the web server to run commands as root!
Probably a better alternative:
Write a shell script with the suid bit to make it run as root no matter who calls it.
shell_exec
This function is disabled when PHP is running in safe mode.
Documentation : http://php.net/manual/en/function.shell-exec.php
So, maybe try tweaking your php.ini file?
Write the commands to a queue and have cron pick them up, validate them (only allow known good requests), and run them, then mark that queue complete with the date and result.
Your end-user can then click/wait for update using ajax.
I want to do SVN update easier - with calling PHP script.
I created PHP script:
$cmd = "svn update https://___/svn/website /var/www/html/website/ 2>&1";
exec($cmd, $out);
As the user running the script is apache (not root), I get some permission errors.
If I change the owner of every directory to apache (or chrown everything to 777) I have another problem. Because I use https protocol user apache should permanently accept certificate of the svn server. I tried to do "su - apache" and accept certificate but OS says that "apache" is not valid user. I also dont know how could I accept certificate with exec() function.
Any idea? How can I make svn update-ing easier?
Is the error telling you that the user isn't a valid svn user? If apache is the user running httpd, you should be able to su to it. This is the script I use:
/usr/bin/svn --config-dir=/home/user/.subversion --username=svnuser --password=svnpass update
once the password is saved you can remove it from the command. Again, make sure the user/pass above is a valid SVN user.
Lately I've actually migrated to using Hudson for svn updates as you can schedule it as well as run manually and do a bunch of other tasks, plus you can view the svn logs for each commit as well as any console errors.
Why not use php svn functions instead of (insecure) exec?
http://www.php.net/manual/en/function.svn-auth-set-parameter.php has good examples for authentification options.
Use getent apache on the shell. This will return the shell of apache. Most likely, it is /bin/nologin or /bin/false. Change this to /bin/bash. You'll also need to specify the home directory and create it on the file system.
UPDATE: getent apache will actually return the entry in the /etc/passwd file for the apache user. The last token in this string is the shell.